I read that some companies are avoiding using cloud services because it creates cloud compliance issues, but that doesn't make sense to me. Why is compliance an excuse to not use the cloud? What extra compliance challenges does the cloud create?
Cloud compliance issues should absolutely not be a barrier for organizations seeking to move computing resources to the cloud. I've personally worked with dozens of organizations that operate in highly regulated environments and have moved some or all of their computing resources to cloud service providers. I am not aware of a single mainstream regulation that prohibits the use of cloud providers.
Cloud providers understand that many customers have concerns about cloud compliance issues, and they have gone out of their way in recent years to ensure that their operations comply with relevant standards and to make the details of their compliance available to their customers.
Amazon Web Services and Microsoft Azure, the two largest infrastructure as a service providers, publish compliance details on the web and certify that their operations are compliant with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA), among dozens of other standards. Other major public cloud providers also have detailed information about how their services address major compliance requirements for customers, so enterprises shouldn't have a hard time finding the information they need.
The key thing for customers to remember is that security and compliance are both always shared responsibilities. While a cloud provider may operate their own systems and business processes in compliance with a particular standard, the customer remains responsible for ensuring that they use those services in a manner that remains compliant. However, that's certainly an achievable task, as demonstrated by the many regulated organizations currently using cloud computing services.
Ask the expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)